Staysure said that three-digit Card Verification Value (CVV) numbers from the payment cards of some policy holders, in addition to other personal information, were compromised following a cyber attack in October 2013.
"In that attack, encrypted payment card details of customers who purchased insurance from us before May 2012 were stolen, along with CVV details and customer names and addresses. From May 2012 we ceased to store this data," Ryan Howsam, chief executive of Staysure, said in a statement.
Howsam said the company reported the data breach to "the relevant card issuing bodies" as well as the Information Commissioner's Office (ICO), the Financial Conduct Authority (FCA) and the police. He apologised to customers and said that Staysure had engaged "forensic data experts" as well as offered individuals affected free access to identity monitoring services.
"We immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future," Howsam said. "We are deeply sorry that this has happened and are working diligently to make sure that inconvenience to customers is minimised."
Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that businesses are prohibited from storing CVV numbers under the Payment Card Industry Data Security Standard (PCI DSS).
"This is to ensure the effectiveness of the additional security that the CVV numbers provide for online and telephone transactions," McFadyen said. "Being in breach of the rules, either as a merchant or another operator in the payments chain, puts you at a high risk of fines from the card schemes and other liabilities being incurred."
The ICO has previously said that retailers that fail to store payment data in accordance with PCI DSS "or provide equivalent protection when processing customers' credit card details" could be held to be in breach of the Data Protection Act (DPA). The watchdog told Out-Law.com that it is investigating the circumstances of the Staysure hacking attack. The ICO has the power to issue companies with fines of up to £500,000 for serious breaches of the DPA.
"We have recently been made aware of a possible data breach which may involve Staysure," a spokesperson for the ICO said. "We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken."
New PCI DSS rules were finalised in November last year. Under the old and the new version of the rules, businesses are prohibited from storing "the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions".
According to guidance associated with the new version of the rules, there is a risk that "malicious individuals can execute fraudulent internet and [mail order/telephone order] transactions" if the data is stolen.
The new rules, however, state that companies that issue payment cards or "support issuing services" can store sensitive authentication data – such as "full track data", card validation codes or values or PIN data – as long as "there is a business justification" for doing so and the data is stored securely.
Some of the new PCI DSS rules are already in force, but others are being treated as 'best practice' recommendations for an interim period to give companies time to adhere to the new standards. The old framework remains active until the end of 2014. It contains a similar prohibition on the storage of CVV numbers by retailers.
Regulators examining Staysure's data breach are likely to assess the company's compliance against the old PCI DSS regime rather than the new rules, since the breach occurred in October 2013, before the new rules took effect.